/*
* Instantiate |drbg|, after it has been initialized. Use |pers| and
* |perslen| as prediction-resistance input.
+ *
+ * Requires that drbg->lock is already locked for write, if non-null.
*/
int RAND_DRBG_instantiate(RAND_DRBG *drbg,
const unsigned char *pers, size_t perslen)
/*
* Uninstantiate |drbg|. Must be instantiated before it can be used.
+ *
+ * Requires that drbg->lock is already locked for write, if non-null.
*/
int RAND_DRBG_uninstantiate(RAND_DRBG *drbg)
{
/*
* Reseed |drbg|, mixing in the specified data
+ *
+ * Requires that drbg->lock is already locked for write, if non-null.
*/
int RAND_DRBG_reseed(RAND_DRBG *drbg,
const unsigned char *adin, size_t adinlen)
* to or if |prediction_resistance| is set. Additional input can be
* sent in |adin| and |adinlen|.
*
+ * Requires that drbg->lock is already locked for write, if non-null.
+ *
* Returns 1 on success, 0 on failure.
*
*/
if (buffer != NULL) {
size_t bytes = 0;
- /* Get entropy from parent, include our state as additional input */
+ /*
+ * Get random from parent, include our state as additional input.
+ * Our lock is already held, but we need to lock our parent before
+ * generating bits from it.
+ */
+ if (drbg->parent->lock)
+ CRYPTO_THREAD_write_lock(drbg->parent->lock);
if (RAND_DRBG_generate(drbg->parent,
buffer, bytes_needed,
0,
(unsigned char *)drbg, sizeof(*drbg)) != 0)
bytes = bytes_needed;
+ if (drbg->parent->lock)
+ CRYPTO_THREAD_unlock(drbg->parent->lock);
entropy_available = RAND_POOL_add_end(pool, bytes, 8 * bytes);
}
{
const RAND_METHOD *meth = RAND_get_rand_method();
RAND_DRBG *drbg;
+ int ret;
if (meth != RAND_OpenSSL())
return RAND_bytes(buf, num);
if (drbg == NULL)
return 0;
- return RAND_DRBG_generate(drbg, buf, num, 0, NULL, 0);
+ /* We have to lock the DRBG before generating bits from it. */
+ CRYPTO_THREAD_write_lock(drbg->lock);
+ ret = RAND_DRBG_generate(drbg, buf, num, 0, NULL, 0);
+ CRYPTO_THREAD_unlock(drbg->lock);
+ return ret;
}
int RAND_bytes(unsigned char *buf, int num)
int ssl_randbytes(SSL *s, unsigned char *rnd, size_t size)
{
- if (s->drbg != NULL)
- return RAND_DRBG_generate(s->drbg, rnd, size, 0, NULL, 0);
+ if (s->drbg != NULL) {
+ /*
+ * Currently, it's the duty of the caller to serialize the generate
+ * requests to the DRBG. So formally we have to check whether
+ * s->drbg->lock != NULL and take the lock if this is the case.
+ * However, this DRBG is unique to a given SSL object, and we already
+ * require that SSL objects are only accessed by a single thread at
+ * a given time. Also, SSL DRBGs have no child DRBG, so there is
+ * no risk that this DRBG is accessed by a child DRBG in parallel
+ * for reseeding. As such, we can rely on the application's
+ * serialization of SSL accesses for the needed concurrency protection
+ * here.
+ */
+ return RAND_DRBG_generate(s->drbg, rnd, size, 0, NULL, 0);
+ }
return RAND_bytes(rnd, (int)size);
}